The Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. The intent of the BOD is to address the remediation of vulnerabilities that are being actively exploited by adversaries. CISA has also created a public catalog of pertinent vulnerabilities. The catalog will be updated regularly, and members are encouraged to register to receive notification when new vulnerabilities are added.
This BOD is binding for Federal agencies, but all organizations – private businesses, industry, and state, local, tribal and territorial (SLTT) governments – are strongly encouraged to prioritize mitigation of these vulnerabilities. This call to address known vulnerabilities reinforces previous WaterISAC recommendations to protect your utility from compromise – including ransomware – due to devices left unpatched or otherwise unprotected. Read the Binding Operational Directive and access the Catalog of Known Exploited Vulnerabilities at CISA.
Additional WaterISAC posts for reference:
- Ransomware Resilience – Deferred Patching Could Result in a Ransomware Attack
- Critical SSL VPN Vulnerabilities Across Multiple Products – Please Patch ‘em if you Got ‘em
- Patching Vulnerabilities is Hard, Exploiting Unpatched Vulnerabilities…Not So Much
To assist public and private sector partners, CISA invites participants to a cross-sector stakeholder call:
Meeting Date: Friday, Nov 5, 2021
Meeting Time: 2:00pm – 2:30pm EST
Dial-in information: 1-415-228-4585 (Toll Free # 800-857-6546)
Access code: 2170340